Vargas,
Simple question. When you use the client and connect over the VPN, where is the DNS? Inside or outside the Firewall? Where does the client think the DNS is? Remember traffic won't go back out of the Firewall without hitting a router first.
Liberty for All,
Brian
Silva,
Only you and those at your company know your requirements and acceptable risk; so it's difficult to comment on the "right way" to design this solution.
Regarding your questions:
Quote:
1- buy a Failover PIX and set up the DMZ on both PIX 525 and PIX FO 525 and the configure one...
mikelehnert,
You don't have a "nat" or "global" statement in the configuration. Given that, the PIX doesn't know how to move packets from the inside to the outside. These statements determine if the PIX uses real IPs (which I think you want), NAT (Network Address...
What does your config look like? Is the point to point or remote access?
Assuming that you are using the VPN client: Have you enabled the PIX to pass the autoconfiguration variables to the VPN clients?
If the switch and the PIX ports are set differently you can expect constant speed and duplex re-negotiation. There could also be VLAN spanning tree issues.
Sounds like a configuration problem.
Things I'm particularly interested in are:
+ On Check Point, there's a Macintosh client VPN, what about Cisco PIX?
> Sure. There is a MS Windows, Mac, and Linux VPN client. PIX uses the same client as the VPN 3000 and the routers.
+ a VPN software is loaded on the client in order to establish a...
So most of these scripts are set up to process the obvious deny connection messages and major events like when failover happens. As with most open source efforts you'll need to update those scripts to what you want to see.
Liberty for All,
Brian
Yeah. The problem here is that without the sysopt command the PIX enforces its security policy on the VPN tunnel as well as outside -> in traffic. Actually Brock was right (but I agree that is an extreme measure to solve this problem.).
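Pulling together the three PIX points raised in the posts above (the missing nat/global pair, pushing DNS settings to VPN clients, and the sysopt command), here is an added PIX 6.x configuration sketch. It is not taken from any post on this page; the addresses, group name, pool and domain are constructed for illustration.

```cisco
! --- Translation: without a nat/global pair the PIX will not forward inside -> outside ---
! Option A: PAT all inside hosts behind the outside interface address
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
! Option B (instead of A): inside hosts use real, routable IPs, so translate nothing
! nat (inside) 0 0.0.0.0 0.0.0.0

! --- Remote-access VPN clients (constructed values) ---
! Client pool is a separate subnet; the nonat ACL exempts inside <-> client traffic from NAT
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (inside) 0 access-list nonat
ip local pool vpnpool 10.1.2.1-10.1.2.50

! Autoconfiguration pushed to the client: inside DNS server and domain, so the client
! resolves internal names through the tunnel rather than via its ISP resolver
vpngroup remote address-pool vpnpool
vpngroup remote dns-server 10.1.1.5
vpngroup remote default-domain example.com
vpngroup remote password <pre-shared-key-placeholder>

! --- Let decrypted IPsec traffic bypass the outside -> inside interface policy ---
! Without this, tunnel traffic is subject to the same conduit/access-list checks as
! untrusted outside traffic; with it, control what clients may reach via the ACLs above
sysopt connection permit-ipsec
```

The nonat ACL doubles as the place to keep the client-reachable subnets narrow, since sysopt removes the interface policy from tunnel traffic.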
MJNSBF,
Until you have 6.2 you cannot copy the OS image off the PIX. With v6.2 you can copy the OS image via HTTPS.
I believe the instruction was probably about making a backup copy of your configuration. That makes more sense since you are upgrading the OS image.
Liberty for All,
Brian
Robert,
IDS didn't make it into PIX OS until version 5.3. You'll need to upgrade the software image.
While you are at it you should also claim your free DES software key. That way you can use SSH to securely telnet to the PIX from the network.
Liberty for All,
Brian
When you set a port for autonegotiation you are asking for problems. If the switch decides it can "improve" the connection it will re-start the negotiation process whenever it wants.
I think your situation is complicated by the fact that you have a Procurve switch. They may be good...